An elliptic curve encryption system represents 
coordinates of a point on the curve as a vector 
of binary digits in a normal basis representation in 
F_{2^m}. A key is generated from multiple additions 
of one or more points in a finite field. Inverses of 
values are computed using a finite field multiplier 
and successive exponentiations. A key is represented 
the second. An encryption protocol using one of the 
coordinates and a further function of that coordinate 
is also described. 
ELLIPTIC CURVE ENCRYPTION SYSTEMS 

FIELD OF THE INVENTION 

The present invention relates to public key 
cryptography. 

The increasing use and sophistication of data 
transmission in such fields as telecommunications, 
networking, cellular communication, wireless 
communications, "smart card" applications, audio-visual 
and video communications has led to an increasing need 
for systems that permit data encryption, authentication 
and verification. 


It is well known that data can be encrypted by 
utilizing a pair of keys, one of which is public and one 
of which is private. The keys are mathematically related 
such that data encrypted with the public key may only be 
decrypted with the private key and conversely, data 
encrypted with the private key can only be decrypted with 
the public key. In this way, the public key of a 
recipient may be made available so that data intended for 
that recipient may be encrypted with the public key and 
only decrypted by the recipient's private key, or 
conversely, encrypted data sent can be verified as 
authentic when decrypted with the sender's public key. 
The most well known and accepted public key 
cryptosystems are those based on integer factorization 
and discrete logarithms in finite groups. In particular, 
the RSA system for modulus n = p * q where p and q 
are primes, the Diffie-Hellman key exchange and the 
ElGamal protocol in Z_p (p a prime) have been implemented 
worldwide. 

The RSA encryption scheme, where two primes p and q 
are multiplied to provide a modulus n, is based on the 
integer factorization problem. The public key e and 
private key d are related such that their product e * d 
equals 1 (mod φ) where φ = (p-1)(q-1). A message M is 
encrypted by exponentiating it with the private key e to 
the modulus n, [C = M^e (mod n)], and decrypted by 
exponentiating with the public key d mod n, [M = C^d (mod n)]. 
This technique requires the transmission of the modulus n 
and the public key, and the security of the system is 
based on the difficulty of factoring a large number that 
has no relatively small factors. Accordingly both p and 
q must be relatively large primes. 



One disadvantage of this system is that p and q must 
be relatively large (at least 512 bits) to attain an 
adequate level of security. With the RSA protocol this 
results in a 1024 bit modulus and a 512 bit public key 
which require significant bandwidth and storage 
capabilities. For this reason researchers have looked 
for public key schemes which reduce the size of the 
public key. Moreover, recent advances in analytical 
techniques and associated algorithms have rendered the 
RSA encryption scheme potentially vulnerable and 
accordingly raised concerns about the security of such 
schemes. This implies that larger primes, and therefore a 
larger modulus, need to be employed in order to maintain 
an acceptable level of security. This in turn increases 
the bandwidth and storage requirements for the 
implementation of such a scheme. 

Since the introduction of the concept of public key 
cryptography by Diffie and Hellman in 1976, the potential 
for the use of the discrete logarithm problem in public 
key cryptosystems has been recognized. In 1985, ElGamal 
described an explicit methodology for using this problem 
to implement a fully functional public key cryptosystem, 
including digital signatures. This methodology has been 
refined and incorporated with various protocols to meet a 
variety of applications, and one of its extensions forms 
the basis for a proposed U.S. digital signature standard 
(DSS). Although the discrete logarithm problem, as first 
employed by Diffie and Hellman in their public key 
exchange algorithm, referred explicitly to the problem of 
finding logarithms with respect to a primitive element in 
the multiplicative group of the field of integers modulo 
a prime p, this idea can be extended to arbitrary groups 
(with the difficulty of the problem apparently varying 
with the representation of the group). 

The discrete logarithm problem assumes that G is a 
finite group, and a and b are elements of G. Then the 
discrete logarithm problem for G is to determine a value 
x (when it exists) such that a^x = b. The value for x is 
called a logarithm of b to the base of a, and is denoted 
by log_a b. 

The difficulty of determining this quantity depends 
on the representation of G. For example, if the abstract 
cyclic group of order m is represented in the form of the 
integers modulo m, then the solution to the discrete 
logarithm problem reduces to the extended Euclidean 
algorithm, which is relatively easy to solve. However, 
the problem is made much more difficult if m+1 is a 
prime, and the group is represented in the form of the 
multiplicative group of the finite field F_{m+1}. This is 
because the computations must be performed according to 
the special calculations required for operating in finite 
fields. 

It is also known that by using computations in a 
finite field whose members lie on an elliptic curve, that 
is by defining a group structure G on the solutions of 
y^2 + xy = x^3 + ax^2 + b over a finite field, the probl2em is again 
made much more difficult because of the attributes of 
elliptic curves. Therefore, it is possible to attain an 
increased level of security for a given size of key. 
Alternatively a reduced key may be used to maintain a 
required degree of security. 

The inherent security provided by the use of 
elliptic curves is derived from the characteristic that 
an addition of two points on the curve can be defined as 
a further point that itself lies on the curve. Likewise 
the result of the addition of a point to itself will 
result in another point on the curve. Therefore, by 
selecting a starting point on the curve and multiplying 
it by an integer, a new point is obtained that lies on 
the curve. This means that where P = (x,y) is a point on 
an elliptic curve over a finite field [E(F_{2^n})], with x 
and y each represented by a vector of n elements then, 
for any other point R in <P> (the subgroup generated by 
P), dP = R. To attack such a scheme, the task is to 
determine an efficient method to find an integer d, 
0 <= d <= (order of P) - 1, such that dP = R. To break such a 
scheme, the best algorithms known to date have running 
times no better than O(sqrt(p)), where p is the largest prime 
dividing the order of the curve (the number of points on 
the curve). 
Thus, in a cryptographic system where the integer d 
remains secret, the difficulty of determining d can be 
exploited. 

An ElGamal protocol of key exchange based on 
elliptic curves takes advantage of this characteristic in 
its definition of private and public keys. Such an 
ElGamal protocol operates as follows: 

1. In order to set up the protocol, where a message is 
   to be sent from A to B, an elliptic curve must be 
   selected and a point P = (x,y), known as the 
   generating point, must be selected. 

Encryption 

2. The receiver, B, then picks a random integer d as 
   his private key. He then computes dP, which is 
   another point on the curve, which becomes his public 
   key that is made available to the sender and the 
   public. Although the sender knows the value dP, due 
   to the characteristic of elliptic curves noted 
   above, he has great difficulty determining the 
   private key d. 

3. The sender A, chooses another random integer k, the 
   session seed, and computes another point on the 
   curve, kP, which serves as a public session key. 
   This also exploits the characteristic of elliptic 
   curves mentioned above. 

4. The sender, A, then retrieves the public key dP of 
   receiver B and computes kdP, another point on the 
   curve, which serves as the shared encryption key for 
   that session. 

5. The sender, A, then encrypts the message M with the 
   encryption key to obtain the ciphertext C. 

6. The sender then sends the public session key kP and 
   the ciphertext C to the receiver B. 

Decryption 

7. The receiver, B, determines the encryption key kdP 
   by multiplying his private key d by kP. 

8. The receiver, B, can then retrieve the message M by 
   decrypting the ciphertext C with the encryption key 
   kdP. 

During the entire exchange, the private key d and the 
seed key k remain secret so that even if an interloper 
intercepts the session key kP he cannot derive the 
encryption key kdP from B's public key dP. 
Elliptic curve cryptosystems can thus be implemented 
employing public and private keys and using the ElGamal 
protocol. 

The elliptic curve cryptography method has a number 
of benefits. First, each person can define his own 
elliptic curve for encryption and decryption, which gives 
rise to increased security. If the private key security 
is compromised, the elliptic curve can be easily 
redefined and new public and private keys can be 
generated to return to a secure system. In addition, to 
decrypt data encoded with the method, only the parameters 
for the elliptic curve and the session key need be 
transmitted. 

15 

One of the drawbacks of other public key systems is 
the large bandwidth and storage requirements for the 
public keys. The implementation of a public key system 
using elliptic curves reduces the bandwidth and storage 
requirements of the public key system because the 
parameters can be stored in fewer bits. Until now, 
however, such a scheme was considered impractical due to 
the computational difficulties involved and the 
requirement for high speed calculations. The computation 
of kP, dP and kdP used in a key exchange protocol 
require complex calculations due to the mathematics 
involved in adding points in elliptic curve fields. 



WO 96/04602    PCT/CA95/00452 

Computations on an elliptic curve are performed 
according to a well known set of relationships. If K 
defines any field, then an equation of the form 
y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, where each of the 
coefficients a_i lie in K, defines an elliptic curve over 
K. If E is the set of points on this curve, then an 
abelian group can be defined on the set E ∪ {O}, where O 
is a special element not occurring in E. O acts as the 
zero element of the group. If P = (x,y), then -P = (x,-y) 
in the case of an odd characteristic, and for two points 
P and Q on the curve where Q ≠ ±P, the sum P + Q is the 
third point on the curve where the line joining P and Q 
again meets the curve. If P = Q, then the tangent line 
is used. As in any abelian group, we use the notation nP 
to denote P added to itself n times if n is positive, 
and -P added to itself |n| times if n is negative, and 
0P = O. 



If F_q is a finite field, then elliptic curves over F_q 
can be divided into two classes, namely supersingular and 
non-supersingular curves. If F_q is of characteristic 2, 
i.e. q = 2^m, then the classes are defined as follows. 

i) The set of all solutions to the equation 
y^2 + ay = x^3 + bx + c where a,b,c ∈ F_q, a ≠ 0, together with 
a special point called the point at infinity O is a 
supersingular curve over F_q. 

ii) The set of all solutions to the equation 
y^2 + xy = x^3 + ax^2 + b where a,b ∈ F_q, b ≠ 0, together with a 
special point called the point at infinity O is a 
nonsupersingular curve over F_q. 



By defining an appropriate addition on these points, 
we obtain an additive abelian group. The addition of two 
points P(x_1,y_1) and Q(x_2,y_2) for the supersingular 
elliptic curve E with y^2 + ay = x^3 + bx + c is given by the 
following: 

If P = (x_1,y_1) ∈ E, then define -P = (x_1, y_1 + a). 
P + O = O + P = P for all P ∈ E. 

If Q = (x_2,y_2) ∈ E and Q ≠ -P, then the point 
representing the sum of P + Q is denoted (x_3,y_3), where 
[the formulas for x_3 and y_3, one for the case P ≠ Q and 
one for P = Q, are illegible in the scan; only the fragment 
y_3 = (...)(... ⊕ x_3) ⊕ ... ⊕ a  (P ≠ Q) survives] 

The addition of two points P(x_1,y_1) and Q(x_2,y_2) for 
the nonsupersingular elliptic curve y^2 + xy = x^3 + ax^2 + b 
is given by the following: 

If P = (x_1,y_1) ∈ E then define -P = (x_1, y_1 + x_1). For all 
P ∈ E, O + P = P + O = P. If Q = (x_2,y_2) ∈ E and Q ≠ -P, 
then P + Q is a point (x_3,y_3), where 
[the formulas for x_3 and y_3, one for the case P ≠ Q and 
one for P = Q, are illegible in the scan; only the fragment 
y_3 = (...)(x_1 ⊕ x_3) ⊕ x_3 ⊕ ...  (P ≠ Q) survives] 



Accordingly it can be seen that computing the sum of 
two points on E requires several multiplications, 
additions, and inverses in the underlying field F_q. In 
turn, each of these operations requires a sequence of 
elementary bit operations. 

When implementing an ElGamal or Diffie-Hellman 
scheme with elliptic curves, one is required to compute 
kP = P + P + ... + P (P added k times) where k is a 
positive integer and P ∈ E. This requires the 
computation of (x_3,y_3) to be computed k-1 times. Even if 
alternative techniques such as "double and add" are 
utilised, it is still necessary to compute the addition 
of two points several times, each of which requires 
multiplications, additions and inverses in the underlying 
finite field. For large values of k which are typically 
necessary in cryptographic applications, this has 
previously been considered impractical for data 
communication. 
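As an added example (not the patent's own code), the nonsupersingular group law from the preceding section, kP by double-and-add, and the ElGamal agreement k(dP) = d(kP) from the protocol steps above, in Python. Field elements of F_{2^m} are held in polynomial basis; m = 4 with the irreducible polynomial X^4 + X + 1 and the curve coefficients are assumed toy values, the addition formulas are the standard characteristic-2 ones, and the inverse is computed by plain square-and-multiply rather than the patent's log_2 n method.

```python
# Added example (not from the patent): the group law on y^2 + xy = x^3 + a*x^2 + b over
# F_{2^m}, kP by double-and-add, and the ElGamal agreement k(dP) == d(kP).
# Field elements are ints in polynomial basis (bit i = coefficient of X^i).
# Toy parameters (assumption): m = 4 with X^4 + X + 1, irreducible over F_2.
M = 4
POLY = 0b10011
O = None                                  # the point at infinity

def f_add(a, b):
    return a ^ b                          # characteristic 2: addition is XOR

def f_mul(a, b):
    """Shift-and-add product, reduced modulo POLY after every shift of a."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if (a >> M) & 1:
            a ^= POLY
        b >>= 1
    return r

def f_inv(a):
    """a^(2^m - 2) == a^-1 by successive squarings and multiplications.
    The patent's route needs about log2(m) multiplications; this plain
    square-and-multiply needs about 2m but uses the same two primitives."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    e, r, base = (1 << M) - 2, 1, a
    while e:
        if e & 1:
            r = f_mul(r, base)
        base = f_mul(base, base)
        e >>= 1
    return r

def ec_add(P, Q, a):
    """P + Q with the standard characteristic-2 formulas; here -P = (x, x + y)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:           # Q == -P, or P has order 2
            return O
        lam = f_add(x1, f_mul(y1, f_inv(x1)))             # doubling: x1 + y1/x1
        x3 = f_add(f_add(f_mul(lam, lam), lam), a)
        y3 = f_add(f_mul(x1, x1), f_mul(f_add(lam, 1), x3))
    else:
        lam = f_mul(f_add(y1, y2), f_inv(f_add(x1, x2)))   # (y1 + y2) / (x1 + x2)
        x3 = f_add(f_add(f_add(f_mul(lam, lam), lam), f_add(x1, x2)), a)
        y3 = f_add(f_add(f_mul(lam, f_add(x1, x3)), x3), y1)
    return (x3, y3)

def ec_mul(k, P, a):
    """kP by double-and-add rather than k-1 sequential additions."""
    R = O
    for bit in bin(k)[2:]:
        R = ec_add(R, R, a)
        if bit == "1":
            R = ec_add(R, P, a)
    return R

def on_curve(P, a, b):
    if P is O:
        return True
    x, y = P
    lhs = f_add(f_mul(y, y), f_mul(x, y))
    rhs = f_add(f_add(f_mul(f_mul(x, x), x), f_mul(a, f_mul(x, x))), b)
    return lhs == rhs

def curve_points(a, b):
    """All affine points by brute force; only sensible at this toy size."""
    return [(x, y) for x in range(1 << M) for y in range(1 << M) if on_curve((x, y), a, b)]

def matches_sequential_addition(P, a, b, kmax):
    """Cross-check: double-and-add agrees with repeated addition and stays on the curve."""
    R = O
    for k in range(1, kmax + 1):
        R = ec_add(R, P, a)
        if ec_mul(k, P, a) != R or not on_curve(R, a, b):
            return False
    return True

def elgamal_shared_key(P, d, k, a):
    """Receiver publishes dP, sender publishes kP; each side computes kdP."""
    dP, kP = ec_mul(d, P, a), ec_mul(k, P, a)
    return ec_mul(k, dP, a), ec_mul(d, kP, a)

if __name__ == "__main__":
    A, B = 0b1000, 0b0001                                   # assumed curve coefficients
    pts = curve_points(A, B)
    P = next(p for p in pts if p[0] != 0)                   # skip the order-2 point (0, 1)
    sender_key, receiver_key = elgamal_shared_key(P, 5, 7, A)
    print(len(pts), "affine points; shared key agrees:", sender_key == receiver_key)
```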




It is an object of the present invention to provide 
a method of encryption utilizing elliptic curves that 
facilitates the computation of additions of points while 
providing an adequate level of security in an efficient 
and effective manner. 

The applicants have developed a method using a 
modified version of the Diffie-Hellman and ElGamal 
protocols defined in the group associated with the points 
on an elliptic curve over a finite field. The method 
involves formulating the elliptic curve calculations so 
as to make elliptic curve cryptography efficient, 
practical and viable, and preferably employs the use of a 
finite field processor such as the Computational Method 
and Apparatus for Finite Field Multiplication as 
disclosed in U.S. Patent 4,745,568. The preferred method 
exploits the strengths of such a processor with its 
computational abilities in finite fields. The inventive 
method structures the elliptic curve calculations as 
finite field multiplication and exponentiation over the 
field. In the preferred method, a normal basis 
representation of the finite field is selected and the 
calculations can then readily be performed on a finite 
field processor. 

The inventors have recognized that the computations 
necessary to implement the elliptic curve calculations 
can be performed efficiently where a finite field of 
characteristic 2 is chosen. 



When computing in a field of characteristic 2, 
i.e. F_{2^m}, squaring is a linear operation, i.e. (A+B)^2 is 
A^2 + B^2. By adapting appropriate representations, the 
computation of the squared terms required in the addition 
of two points is greatly simplified. In particular, if a 
normal basis representation is chosen, squaring can be 
achieved through a cyclic shift of the binary vector 
representing the field element to be squared. 



Moreover, computing inverses in F_{2^m} can be 
implemented with simple shift and XOR operations by 
selection of an appropriate representation. In some 
implementations, the computation of an inverse can be 
arranged to utilize multiple squaring operations and 
thereby improve the efficiency of the computation. 

When such computations are performed using a normal 
basis representation of the finite field, the inventors 
have also recognized that the elliptic curve calculations 
are further simplified. With the computations presented in 
this form, the applicants have realized that specialized 
semiconductor devices can be fabricated to perform the 
calculations. With the calculations presented in such a 
form, additions in the field can be efficiently 
performed in one clock cycle utilizing a simple XOR 
operation. 

Multiplications can be performed very efficiently in 
only n clock cycles where n is the number of bits being 
multiplied. Furthermore, squaring can be efficiently 
performed in 1 clock cycle as a cyclic shift of the bit 
register. Finally, inverses can easily be computed, 
requiring approximately log_2 n multiplications rather than 
the approximately 2n multiplications required in other 
arithmetic systems. 

The inventors have also recognized that the 
bandwidth and storage requirements of a cryptographic 
system utilizing elliptic curves can be significantly 
reduced where for any point P(x,y) on the curve, only the x 
coordinate and one bit of the y coordinate need be stored 
and transmitted, since the one bit will indicate which of 
the two possible solutions is the second coordinate. 


The inventors have also recognized when using the 
ElGamal protocol that messages need not be points on the 
curve if the protocol is modified such that the message M 
is considered as a pair of field elements m_1, m_2 and each is 
operated on by the coordinates (x,y) of the session 
encryption key kdP in a predetermined manner to produce 
new field elements c_1, c_2 that represent the ciphertext C. 
The receiver can then extract the message M = (m_1, m_2) by 
applying the inverse transformation of the predetermined 
manner. Although this may require an inverse operation 
in the field, they may be performed efficiently in the 
field F_{2^m}, and in particular when operating with the 
processor noted above. 

To assist in the appreciation of the implementation 
of the present invention, it is believed that a review 
of the underlying principles of finite field operations 
is appropriate. The finite field F_2 is the number system 
in which the only elements are the binary numbers 0 and 1 
and in which the rules of addition and multiplication are 
the following: 

0 + 0 = 1 + 1 = 0 
0 + 1 = 1 + 0 = 1 
0 x 0 = 1 x 0 = 0 x 1 = 0 
1 x 1 = 1 

These rules are commonly called modulo-2 arithmetic. All 
additions specified in logic expressions or by adders in 
this application are performed modulo-2 as an XOR 
operation. Furthermore, multiplication is implemented 
with logical AND gates. 
The finite field F_{2^m}, where m is an integer greater 
than 1, is the number system in which there are 2^m 
elements and in which the rules of addition and 
multiplication correspond to arithmetic modulo an 
irreducible polynomial of degree m with coefficients in 
F_2. Although in an abstract sense there is for each m 
only one field F_{2^m}, the complexity of the logic required 
to perform operations in F_{2^m} depends strongly on the 
particular way in which the field elements are 
represented. These operations may be performed using 
processors implemented in either hardware or software 
with dedicated hardware processors generally considered 
faster. 

The conventional approach to operations performed in F_{2^m} 
is described in such papers as T. Bartee and D. 
Schneider, "Computation with Finite Fields", Information 
and Control, Vol. 6, pp. 79-98, 1963. In this 
conventional approach, one first chooses a polynomial 
P(X) of degree m which is irreducible over F_2, that is, 
P(X) has binary coefficients but cannot be factored into 
a product of polynomials with binary coefficients each of 
whose degree is less than m. An element A in F_{2^m} is then 
defined to be a root of P(X), that is, to satisfy P(A) = 0. 
The fact that P(X) is irreducible guarantees that the m 
elements A^0 = 1, A, A^2, ..., A^{m-1} of F_{2^m} are linearly 
independent over F_2. 

For the purposes of illustration, the example of F_{2^3} 
will be used with the choice of P(X) = X^3 + X + 1 for the 
irreducible polynomial of degree 3. The next step is to 
define A as an element of F_{2^3} such that A^3 + A + 1 = 0. 

The following assignment of unit vectors is then made: 
A^0 = 1 = [1,0,0] 
A^1 = [0,1,0] 
A^2 = [0,0,1] 

An arbitrary element B of F_{2^3} is now represented by 
the binary vector [b_2, b_1, b_0] with the meaning that 
B = [b_2, b_1, b_0] = b_2 A^2 + b_1 A + b_0. 

If we represent a second element C = [c_2, c_1, c_0], it 
follows that B + C = [b_2 ⊕ c_2, b_1 ⊕ c_1, b_0 ⊕ c_0]. 

Thus, in the conventional approach, addition in F_{2^m} 
is easily performed by logic that merely forms the 
modulo-2 sum of the two vectors representing the elements 
to be summed component-by-component. Multiplication is, 
however, considerably more complex to implement. 
Continuing the example, from the irreducible 
polynomial it can be seen that A^3 = A + 1 and A^4 = A^2 + A, 
where use has been made of the fact that -1 = +1 in F(2). 
In hardware, multiplication can be simplified by taking 
advantage of the special feature of a finite field F_{2^m} 
that there always exists a so-called normal basis for the 
finite field. That is, one can always find a field 
element N such that N, N^2, N^4, ..., N^{2^{m-1}} are a basis for F_{2^m}. 

Every field element B can be uniquely written as 

B = b_{m-1} N^{2^{m-1}} + ... + b_2 N^4 + b_1 N^2 + b_0 N = [b_{m-1}, ..., b_2, b_1, b_0] 

where b_{m-1}, ..., b_2, b_1, b_0 are binary digits. 

For example, in the finite field F_{2^3}, if we let 
N = [1,1,0], then: 

Element (field      Normal basis          Normal basis 
representation)     representation        vector 
[0,0,0]             0                     [0,0,0] 
[1,0,0]             N + N^2 + N^4         [1,1,1] 
[0,1,0]             N^2 + N^4             [0,1,1] 
[0,0,1]             N + N^4               [1,0,1] 
[1,1,0]             N                     [1,0,0] 
[1,0,1]             N^2                   [0,1,0] 
[0,1,1]             N + N^2               [1,1,0] 
[1,1,1]             N^4                   [0,0,1] 
Then, if B = [b_{m-1}, ..., b_2, b_1, b_0] and 
C = [c_{m-1}, ..., c_2, c_1, c_0] are any two elements of F_{2^m} in 
normal basis representation, then the product 
D = B x C = [d_{m-1}, ..., d_2, d_1, d_0] has the property 
that the same logic circuitry which when 
applied to the components or binary digits of the vectors 
representing B and C produces d_{m-1} will sequentially 
produce the remaining components d_{m-2}, ..., d_2, d_1, d_0 of the 
product when applied to the components of the successive 
shifts of the vectors representing B and C. 

As illustrated in U.S. Patent 4,745,568 for 
Computational Method and Apparatus for Finite Field 
Multiplication, multiplication may be implemented by 
storing bit vectors B and C in respective shift registers 
and establishing connections to respective accumulating 
cells such that a grouped term of each of the expressions d_i 
is generated in respective ones of m accumulating cells. 
By rotating the bit vectors B and C in the shift 
registers and by rotating the contents of the 
accumulating cells, each grouped term of a respective 
binary digit d_i is accumulated in successive cells. Thus 
all of the binary digits of the product vector are 
generated simultaneously in the accumulating cells after 
one complete rotation of the bit vectors B and C. 
One attribute of operating such a processor is that 
in the field F_{2^m}, squaring is a linear operation 
in the sense that for every pair of elements B and C in 
F_{2^m}, (B + C)^2 = B^2 + C^2. It is the case for every element B 
of F_{2^m} that B^{2^m} = B. 

In particular in a normal basis representation, 
squaring an element involves a cyclic shift of the 
vector representation of the element, i.e. if 
B = [b_{m-1}, ..., b_2, b_1, b_0] then B^2 = [b_{m-2}, ..., b_1, b_0, b_{m-1}]. 

Thus when using the processor exemplified above, 
squaring may be achieved in one cycle. Moreover, this 
general characteristic of F_{2^m}, where squaring is a linear 
operation, may be exploited in other implementations, 
such as software, where a normal basis representation is 
not used. 
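As an added example (not the patent's code), the F_{2^3} construction above carried out in Python: the powers of A under A^3 = A + 1, the normal basis generated by N = [1,1,0], the table of normal-basis coordinates, and a check that squaring is a cyclic shift of those coordinates. Vectors follow the unit-vector assignment A^0 = [1,0,0], A = [0,1,0], A^2 = [0,0,1], and normal-basis coordinates are listed in the order [N, N^2, N^4], matching the table; the discrete-log multiplication is my own shortcut for this tiny field, not the patent's multiplier.

```python
# Added example (not from the patent): F_{2^3} built from A^3 = A + 1, the normal basis
# N, N^2, N^4 with N = [1,1,0], and the squaring-is-a-cyclic-shift property.
# A 3-bit int holds the vector [b0, b1, b2] = b0 + b1*A + b2*A^2 (bit i = coefficient of A^i),
# matching the unit-vector assignment A^0 = [1,0,0], A = [0,1,0], A^2 = [0,0,1] in the text.

# A^0 .. A^6 as ints: multiplying by A is a shift left, and A^3 is replaced by A + 1 (0b011).
POW_A = [1]
for _ in range(6):
    t = POW_A[-1] << 1
    if t & 0b1000:
        t ^= 0b1011                  # reduce by X^3 + X + 1
    POW_A.append(t)
LOG_A = {v: i for i, v in enumerate(POW_A)}   # A is primitive: its powers give all 7 nonzero elements

def to_vec(x):
    return [(x >> i) & 1 for i in range(3)]

def from_vec(v):
    return sum(b << i for i, b in enumerate(v))

def add(a, b):
    """Field addition is the component-wise modulo-2 sum: one XOR."""
    return a ^ b

def mul(a, b):
    """Multiply via the discrete log of A: A^i * A^j = A^((i + j) mod 7)."""
    if a == 0 or b == 0:
        return 0
    return POW_A[(LOG_A[a] + LOG_A[b]) % 7]

def normal_basis(n):
    """[N, N^2, N^4] for a candidate N."""
    n2 = mul(n, n)
    return [n, n2, mul(n2, n2)]

def is_basis(nb):
    """Three elements form a basis of F_8 over F_2 iff their 8 F_2-combinations are distinct."""
    combos = {(c0 * nb[0]) ^ (c1 * nb[1]) ^ (c2 * nb[2])
              for c0 in (0, 1) for c1 in (0, 1) for c2 in (0, 1)}
    return len(combos) == 8

def to_normal(x, nb):
    """Coordinates [n0, n1, n2] with x = n0*N + n1*N^2 + n2*N^4 (the table's column order)."""
    for n0 in (0, 1):
        for n1 in (0, 1):
            for n2 in (0, 1):
                if (n0 * nb[0]) ^ (n1 * nb[1]) ^ (n2 * nb[2]) == x:
                    return [n0, n1, n2]
    raise ValueError("not expressible: nb is not a basis")

def build_table(n_vec=(1, 1, 0)):
    """Map each element's [b0,b1,b2] vector to its normal-basis vector, as in the text's table."""
    nb = normal_basis(from_vec(n_vec))
    if not is_basis(nb):
        raise ValueError("N does not generate a normal basis")
    return {tuple(to_vec(x)): tuple(to_normal(x, nb)) for x in range(8)}

def squaring_is_cyclic_shift(nb):
    """B^2 = n2*N + n0*N^2 + n1*N^4 because (N^4)^2 = N^8 = N: the coordinates rotate by one."""
    for x in range(8):
        c = to_normal(x, nb)
        if to_normal(mul(x, x), nb) != [c[2], c[0], c[1]]:
            return False
    return True

if __name__ == "__main__":
    for poly_vec, normal_vec in build_table().items():
        print(list(poly_vec), "->", list(normal_vec))
    nb = normal_basis(from_vec((1, 1, 0)))
    print("squaring is a cyclic shift:", squaring_is_cyclic_shift(nb))
```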



As noted above, the inventors have taken advantage 
of the efficiency of the mathematical operations in F_{2^m} 
in the implementation of an elliptic curve encryption 
scheme. The applicants have developed a method of 
formulating the elliptic curve calculations so as to make 
elliptic curve cryptography efficient, practical and 
viable. The preferred method employs the use of a finite 
field processor such as the Computational Method and 
Apparatus for Finite Field Multiplication as disclosed in 
U.S. Patent 4,745,568. The method couples the attractive 
cryptographic characteristics of elliptic curves with the 
strengths of the field processor through its 
computational abilities in finite field F_{2^m}. The 
inventive method structures the elliptic curve 
calculations as operations, such as multiplication and 
exponentiation, over the field F_{2^m}, which can 
readily be calculated on a finite field processor. 

An embodiment of the invention will now be described 
by way of example only with reference to the accompanying 
drawings in which: 

Figure 1 is a diagram of the transmission of an 
encrypted message from one location to another, 

Figure 2 is a diagram of an encryption module used 
with the communication system of Figure 1, 

Figure 3 is a diagram of a finite field processor 
used in the encryption and decryption module of Figure 2. 

Figure 4 is a flow chart showing movement of the 
elements through the processor of Figure 3 in computing 
an inverse function. 

Figure 5 is a flow chart showing movement of 
elements through the processor of Figure 3 to compute the 
addition of two points. 



An embodiment of the invention will first be 
described utilising an ElGamal key exchange protocol and 
a Galois field F_{2^155} to explain the underlying principles. 
Further refinements will then be described. 



System Components 

Referring therefore to Figure 1, a message M is to 
be transferred from a transmitter 10 to a receiver 12 
through a communication channel 14. Each of the 
transmitter 10 and receiver 12 has an 
encryption/decryption module 16 associated therewith to 
implement a key exchange protocol and an 
encryption/decryption algorithm. 

The module 16 is shown schematically in Figure 2 and 
includes an arithmetic unit 20 to perform the 
computations in the key exchange and generation. A 
private key register 22 contains a private key, d, 
generated as a 155 bit data string from a random number 
generator 24, and used to generate a public key stored in 
a public key register 26. A base point register 28 
contains the coordinates of a base point P that lies in 
the elliptic curve selected with each coordinate (x, y) 
represented as a 155 bit data string. Each of the data 
strings is a vector of binary digits with each digit 
being the coefficient of an element of the finite field 
in the normal basis representation of the coordinate. 

The elliptic curve selected will have the general 
form y^2 + xy = x^3 + ax^2 + b and the parameters of that 
curve, namely the coefficients a and b, are stored in a 
parameter register 30. The contents of registers 22, 24, 
26, 28, 30 may be transferred to the arithmetic unit 20 
under control of a C.P.U. 32 as required. 

The contents of the public key register 26 are also 
available to the communication channel 14 upon a suitable 
request being received. In the simplest implementation, 
each encryption module 16 in a common security zone will 
operate with the same curve and base point so that the 
contents of registers 28 and 30 need not be accessible. 
If further sophistication is required, however, each 
module 16 may select its own curve and base point in 
which case the contents of registers 28, 30 have to be 
accessible to the channel 14. 

The module 16 also contains an integer register 34 
that receives an integer k, the session seed, from the 
generator 24 for use in encryption and key exchange. The 
module 16 has a random access memory (RAM) 36 that is 
used as a temporary store as required during 
computations. 



The encryption of the message M with an encryption 
key kdP derived from the public key dP and session seed 
integer k is performed in an encryption unit 40 which 
implements a selected encryption algorithm. A simple yet 
effective algorithm is provided by an XOR function which 
XOR's the message M with the 310 bits of the encryption 
key kdP. Alternative implementations such as the DES 
encryption algorithm could of course be used. 

An alternative encryption protocol treats the 
message M as pairs of coordinates m_1, m_2, each of 155 bit 
lengths in the case of F_{2^155}, and XOR's the message m_1, m_2 
with the coordinates of the session key kdP to provide a 
pair of bit strings (m_1 ⊕ x_0), (m_2 ⊕ y_0). For further 
security a pair of field elements z_1, z_2 are also formed 
from the coordinates (x_0, y_0) of kdP. 

In one embodiment, the elements z_1, z_2 are formed from 
the concatenation of part of x_0 with part of y_0, for 
example, z_1 = x_01 || y_02 and z_2 = x_02 || y_01, 
where x_01 is the first half of the bit string of x_0, 
x_02 is the second half of the bit string of x_0, 
y_01 is the first half of the bit string of y_0, and 
y_02 is the second half of the bit string of y_0. 

The elements z_1 and z_2, when treated as field 
elements, are then multiplied with respective bit strings 
(m_1 ⊕ x_0) and (m_2 ⊕ y_0) to provide bit strings c_1, c_2 of 
ciphertext C, i.e. 

c_1 = z_1 (m_1 ⊕ x_0) 
c_2 = z_2 (m_2 ⊕ y_0) 

In a preferred implementation of the encryption 
protocol, a function of x_0 is used in place of y_0 in the 
above embodiment. For example, that function of x_0 (the 
function itself is illegible in the scan) is used as the 
second 155 bit string, so that c_1, c_2 and z_1, z_2 are 
formed as above with the first and second halves of that 
string in place of y_01 and y_02 (the exact formulas are 
illegible in the scan). 

This protocol is also applicable to implementation 
of elliptic curve encryption in a field other than F_{2^m}, 
for example Z_p or in general F_{p^n}. 

Where Z_p is used it may be necessary to adjust the 
values of x_0 and y_0 (or of the function of x_0) to avoid 
overflow in the multiplication with z_1 and z_2. 
Conventionally this may be done by setting the most 
significant bit of x_0 and y_0 (or of the function of x_0) 
to zero. 
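As an added example (not the patent's code), the pair-of-elements protocol above, c_1 = z_1(m_1 ⊕ x_0) and c_2 = z_2(m_2 ⊕ y_0) with z_1 = x_01 || y_02 and z_2 = x_02 || y_01, carried out in Z_p as the text says it may be, with the most-significant-bit adjustment and a check that shows why it is needed: an XOR result at or above p does not survive the modular reduction. The field size is a toy assumption (L = 16-bit strings and p = 65521 instead of 155 bits), x_0 and y_0 are constructed sample coordinates rather than a computed kdP, and message halves are assumed to be at most L-1 bits.

```python
# Added example (not from the patent): the two-element encryption protocol in Z_p.
# Toy parameters (assumption): L = 16-bit strings and the 16-bit prime p = 65521,
# so 2^(L-1) <= p < 2^L; the text uses 155-bit strings.
L = 16
P_MOD = 65521
HALF = L // 2                     # the second (low-order) half has HALF bits
MSB = 1 << (L - 1)

def halves(v):
    """(first half, second half) of the L-bit string of v."""
    return v >> HALF, v & ((1 << HALF) - 1)

def derive_z(x0, y0):
    """z1 = x01 || y02 and z2 = x02 || y01 from the session key coordinates (x0, y0)."""
    x01, x02 = halves(x0)
    y01, y02 = halves(y0)
    z1 = ((x01 << HALF) | y02) % P_MOD
    z2 = ((x02 << (L - HALF)) | y01) % P_MOD
    if z1 == 0 or z2 == 0:
        raise ValueError("z1 and z2 must be nonzero to be invertible in Z_p")
    return z1, z2

def clear_msb(v):
    """The text's Z_p adjustment: force the top bit of a coordinate to zero."""
    return v & ~MSB

def encrypt(m1, m2, x0, y0, adjust=True):
    """c1 = z1 * (m1 XOR x0), c2 = z2 * (m2 XOR y0), all in Z_p."""
    if adjust:
        x0, y0 = clear_msb(x0), clear_msb(y0)
    z1, z2 = derive_z(x0, y0)
    return (z1 * (m1 ^ x0)) % P_MOD, (z2 * (m2 ^ y0)) % P_MOD

def decrypt(c1, c2, x0, y0, adjust=True):
    """Undo the multiplication with z1^-1, z2^-1, then undo the XOR."""
    if adjust:
        x0, y0 = clear_msb(x0), clear_msb(y0)
    z1, z2 = derive_z(x0, y0)
    t1 = (c1 * pow(z1, -1, P_MOD)) % P_MOD   # equals m1 XOR x0 only if that value is < p
    t2 = (c2 * pow(z2, -1, P_MOD)) % P_MOD
    return t1 ^ x0, t2 ^ y0

def roundtrip_ok(m1, m2, x0, y0, adjust=True):
    c1, c2 = encrypt(m1, m2, x0, y0, adjust)
    return decrypt(c1, c2, x0, y0, adjust) == (m1, m2)

if __name__ == "__main__":
    # Constructed sample: x0 has its top bit set, so m1 XOR x0 can reach or exceed p and
    # the reduction modulo p destroys it unless the top bit is cleared first.
    m1, m2, x0, y0 = 15, 100, 65520, 12345
    print("with adjustment:", roundtrip_ok(m1, m2, x0, y0))
    print("without adjustment:", roundtrip_ok(m1, m2, x0, y0, adjust=False))
```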

Key generation, exchange and encryption 

In order for the transmitter 10 to send the message 
M to the receiver 12, the receiver's public key is 
retrieved by the transmitter 10. The public key is 
obtained by the receiver 12 computing the product of the 
secret key d and base point P in the arithmetic unit 20 
as will be described more fully below. The product dP 
represents a point on the selected curve and serves as 
the public key. The public key dP is stored as two 155 
bit data strings in the public key register 26. 

Upon retrieval of the public key dP by the 
transmitter 10, it is stored in the RAM 36. It will be 
appreciated that even though the base point P is known 
and publicly available, the attributes of the elliptic 
curve inhibit the extraction of the secret key d. 

The transmitter 10 uses the arithmetic unit 20 to 
compute the product of the session seed k and the public 
key dP and stores the result, kdP, in the RAM 36 for use 
in the encryption algorithm. The result kdP is a further 
point on the selected curve, again represented by two 155 
bit data strings or vectors, and serves as an encryption 
key. 

The transmitter 10 also computes the product of the 
session seed k with the base point P to provide a new 
point kP, the session public key, which is stored in the 
RAM 36. 

The transmitter 10 has now the public key dP of the 
receiver 12, a session public key kP and an encryption 
key kdP and may use these to send an encrypted message. 
The transmitter 10 encrypts the message M with the 
encryption key kdP in the encryption unit 40 implementing 
the selected encryption protocols discussed above to 
provide an encrypted message C. The ciphertext C is 
transmitted together with the value kP to the encryption 
module 16 associated with receiver 12. 

The receiver 12 utilises the session public key kP 
with its private key d to compute the encryption key kdP 
in the arithmetic unit 20 and then decrypt the ciphertext 
C in the encryption unit 40 to retrieve the message M. 

During this exchange, the secret key d and the 
session seed k remain secret and secure. Although P, kP 
and dP are known, the encryption key kdP cannot be 
computed due to the difficulty in obtaining either d or 
k. 



WO 96/04602    PCT/CA95/00452

The efficacy of the encryption depends upon the efficient computation of the values kP, dP and kdP by the arithmetic unit 20. Each computation requires the repetitive addition of two points on the curve, which in turn requires the computation of squares and inverses in the underlying field $F_{2^m}$.

Operation of the Arithmetic Unit

The operation of the arithmetic unit 20 is shown schematically in Figure 3. The unit 20 includes a multiplier 48 having a pair of cyclic shift registers 42, 44 and an accumulating register 46. Each of the registers 42, 44, 46 contains m cells 50a, 50b ... 50m, in this example 155, to receive the m elements of a normal basis representation of one of the coordinates, e.g. x, of P. As fully explained in U.S. Patent No. 4,745,568, the cells 50 of registers 42, 44 are connected to the corresponding cells 50 of accumulating register 46 in such a way that a respective grouped term is generated in each cell of register 46. The registers 42, 44, 46 are also directly interconnected in a bit wise fashion to allow fast transfers of data between the registers.

The movement of data through the registers is controlled by a control register 52 that can execute the instruction set shown in the table below:
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TABLE 1 
INSTRUCTION SET 



15 



20 



30 



40 



50 



Operation 



Size 



Clock Cycles 



Field Multiplication 
HXSLT 

10 Calculation of Inverse 
HQOSBSE 



I/O 

WRITE <A|B or C) 
RBAO(A,B or C) 

Elementary Register 



155 bit blocks 



24 multiplications 



5-32 bit transfers per 
10 clock cycles 



read/write to registers 



155 bit parallel 
operation 



156 

approx. 3800 
10 



2 clock cycles 
per transfer 



Udle) 
25 NOP 



Rotate {K,B or C) 
Copy 
(M-B) 

35 (Ai-B) 
(BKJ) 

SWAP (A«»B) 
CLEAR (A,B or C) 
SET (A,B or C) 
45 ADD (AeB) 
ACCUKOIATB 



The unit 20 includes an adder 54 to receive data from the registers 42, 44, 46 and RAM 36. The adder 54 is an XOR function and its output is a data stream that may be stored in RAM 36 or one of the registers 42, 44. Although shown as a serial device, it will be appreciated that it may be implemented as a parallel device to improve computing time. Similarly the registers 42, 44, 46 may be parallel loaded. Each of the registers 42, 44, 46 is a 155 bit register and is addressed by a 32 bit data bus to allow 32 bit data transfer in 2 clock cycles and the entire loading in 5 operations.

The subroutines used in the computation will now be described.

a) Multiplication

The cyclic shift of the elements through the registers 42, 44 m times, with a corresponding shift of the accumulating register 46, accumulates successive grouped terms in the respective accumulating cells, and a complete rotation of the elements in the registers 42, 44 produces the elements of the product in the accumulating register 46.

b) Squaring

By operating in $F_{2^m}$ and adopting a normal basis representation of the field elements, the multiplier 48 may also provide the square of a number by cyclically shifting the elements one cell along the register 42. After a one cell shift, the elements in the register represent the square of the number. In general, a number may be raised to the power $2^g$ by cyclically shifting it g times through a register.



c) Inversion

Computation of the inverse of a number can be performed efficiently with the multiplier 48 by implementing an algorithm which utilises multiple squaring operations. The inverse $X^{-1}$ is represented as $X^{2^m - 2}$ or $X^{2(2^{m-1} - 1)}$.

If m-1 is considered as the product of two factors g, h then $X^{-1}$ may be written as $X^{2(2^{gh} - 1)} = \beta^{2^{gh} - 1}$ where $\beta = X^2$.

The exponent $2^{gh} - 1$ is equivalent to $(2^g - 1)(1 + 2^g + 2^{2g} + \cdots + 2^{(h-1)g})$.

The term $2^g - 1$ may be written as $1 + 2 + 2^2 + \cdots + 2^{g-1}$, so that

$\beta^{2^g - 1} = \beta \cdot \beta^{2} \cdot \beta^{2^2} \cdots \beta^{2^{g-1}}$

and $\beta^{2^g - 1}$ is denoted $\gamma$.

This term may be computed on multiplier 48 as shown in Figure 4 by initially loading register 42 with the value X. This is shifted 1 cell to represent $\beta$ (i.e. $X^2$) and the result loaded into both registers 42, 44. Register 44 is then shifted to provide $\beta^2$ and the registers 42, 44 multiplied to provide $\beta^{1+2}$ in the accumulating register 46. The multiplication is obtained with one motion, i.e. an m bit cyclic shift, of each of the registers 42, 44, 46.

The accumulated term $\beta^{1+2}$ is transferred to register 44, and register 42, which contains $\beta^2$, is shifted one place to provide $\beta^4$. The registers 42, 44 are multiplied to provide $\beta^{1+2+4}$.

This procedure is repeated g-2 times to obtain $\gamma$, i.e. g-1 multiplications in all.

As will be described below, $\gamma$ can be exponentiated in a similar manner to obtain $X^{-1}$. This term can be expressed as

$X^{-1} = \gamma^{1 + 2^g + 2^{2g} + \cdots + 2^{(h-1)g}}$.

As noted above, $\gamma$ can be raised to the power $2^g$ by shifting its normal basis representation g times in register 42 or 44.

Accordingly, the registers 42, 44 are each loaded with the value $\gamma$ and the register 42 shifted g times to provide $\gamma^{2^g}$. The registers 42, 44 are multiplied to provide $\gamma \cdot \gamma^{2^g}$ or $\gamma^{1 + 2^g}$ in the accumulating register 46. This value is transferred to the register 44 and the register 42 shifted g times to provide $\gamma^{2^{2g}}$. The multiplication will then provide $\gamma^{1 + 2^g + 2^{2g}}$. Repetition of this procedure (h-1)g-1 times produces the inverse of X in the accumulating register 46; each further term of the exponent costs g single-cell shifts and one multiplication, so h-1 multiplications are needed in this second stage.

From the above it will be seen that squaring, multiplying and inverting can be effectively performed utilising the finite field multiplier 48.
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Addition of point: P to itself -f usino iiy^^ 
subroutines 

To compute the value of dP for generation of the 
5 public key, the arithmetic unit 20 associated with the 
receiver 12 initially computes the addition of p + p. as 
noted in the introduction, for a nonsupersingular curve 
the new point Q has coordinates (Xj^Yj) where 



To compute Xj, the following steps may be implemented 
as shown in Figure 5. 

The m bits representing X, are loaded into register 
42 from base point register 28 and shifted one cell to 
the right to provide . This value is stored in 

RAM 36 and the inverse of computed as described 

above. 

The value of is loaded into register 44 

and the parameter b extracted from the parameter register 
30 and loaded into register 42. The product bx^^ is 
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computed in the accumulating register 46 by rotating the 
bit vectors and the resultant value XOR'd in adder 52 

with value of xl stored in RAM 36 to provide the 

normal basis representation of X3. The result may be 
5 stored in RAM 36. 

A similar procedure can be followed to generate Y3 by 
first inverting Xj, multiplying the result by Y, and 
XORing with X, in the adder 52. This is then multiplied 
10 by X3 stored in RAM 36 and the result XOR'd with the value 
of X3 and to produce Yj. 



The resultant value of (X3, Y3) represents the sum of 
P -I- P and is a new point Q on the curve. This could then 
15 be added to P to produce a new point Q' . This process 
could be repeated d-2 times to generate dP. 

The addition of P + Q requires the computation of 
(X3,Y,) where 



20 



This would be repeated d-2 tines with a new value 
for Q at each iteration to conpute dP. 
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Whilst in principal this is possible with the 
arithmetic xmit 20, in practice the large nvuabers used 
make such a procedure infeasible. A more elegant 
approach is available using the binary representation of 
5 the integer d. 

Computation of dP from 2P

To avoid adding dissimilar points P and Q at every step, the binary representation of d is used with a doubling method to reduce the number of additions and the complexity of the additions.

The integer d can be expressed as

$d = \sum_{i=0}^{t} \lambda_i 2^i, \quad \lambda_i \in \{0, 1\}$, and $dP = \sum_{i=0}^{t} \lambda_i (2^i P)$, i.e.

$dP = \lambda_t 2^t P + \lambda_{t-1} 2^{t-1} P + \cdots + \lambda_3 2^3 P + \lambda_2 2^2 P + \lambda_1 2P + \lambda_0 P$.

The values $\lambda_i$ are the binary representation of d.

Having computed 2P, the value obtained may be added to itself, as described above at Figure 5, to obtain $2^2 P$, which in turn can be added to itself to provide $2^3 P$, etc. This is repeated until $2^t P$ is obtained. At each iteration, the value of $2^i P$ is retained in RAM 36 for use in subsequent additions to obtain dP.

The arithmetic unit 20 performs a further set of additions of dissimilar points for those terms where $\lambda_i$ is 1 to provide the resultant value of the point $(x_d, y_d)$ representing dP.

If for example k = 5, kP can be computed as $2^2 P + P$, or 2P + 2P + P, or Q + Q + P. Therefore the result can be obtained in 3 additions: 2P = Q takes 1 addition, 2P + 2P = Q + Q = R takes 1, and R + P takes 1 addition. At most t doublings and t subsequent additions are required, depending on how many $\lambda_i$ are 1.
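The field inversion by repeated squaring with m-1 = g·h, the doubling and dissimilar-point addition on the curve $y^2 + xy = x^3 + ax^2 + b$, and the double-and-add computation of dP, kP and kdP, as one added example that is not part of the patent. It uses a tiny field GF(2^7) in a polynomial basis (an assumption: the patent's normal-basis multiplier turns squaring into a one-cell cyclic shift, whereas here squaring is an ordinary multiplication; the exponent chain is the same), a constructed curve coefficient A, a constructed base point P0, and the constant B chosen so that P0 lies on the curve. The function and variable names are the example's own.

```python
# Added example (not the patent's code): the g*h inversion chain, affine
# doubling/addition on y^2 + xy = x^3 + A x^2 + B, and double-and-add.
# Assumption: GF(2^M) in POLYNOMIAL basis, so squaring is a multiplication
# here rather than the patent's one-cell cyclic shift of a normal basis.

M = 7                    # field degree; the patent uses m = 155
POLY = (1 << 7) | 0b11   # x^7 + x + 1, irreducible over GF(2)
A = 1                    # constructed curve coefficient
P0 = (0b10, 0b11)        # constructed base point (x1, y1)
B = 0b1111               # y1^2 + x1*y1 + x1^3 + A*x1^2 for P0, so P0 is on the curve; B != 0 keeps it non-singular

def gf_mul(u, v):
    """Multiply two elements of GF(2^M): shift-and-add with reduction by POLY."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M:           # degree reached M: reduce
            u ^= POLY
    return r

def gf_sq(u):
    return gf_mul(u, u)

def gf_inv(x, g, h):
    """x^-1 = x^(2^M - 2) = beta^(2^(M-1) - 1) with beta = x^2 and M-1 = g*h.
    Stage 1: gamma = beta^(2^g - 1) = beta * beta^2 * ... * beta^(2^(g-1)), g-1 multiplications.
    Stage 2: gamma^(1 + 2^g + ... + 2^((h-1)g)), h-1 multiplications, each after g squarings."""
    if x == 0 or g * h != M - 1:
        raise ValueError("x must be non-zero and g*h must equal M-1")
    beta = gf_sq(x)
    gamma = term = beta
    for _ in range(g - 1):
        term = gf_sq(term)             # beta^2, beta^4, ...
        gamma = gf_mul(gamma, term)
    inv = term = gamma
    for _ in range(h - 1):
        for _ in range(g):
            term = gf_sq(term)         # gamma^(2^g), gamma^(2^(2g)), ...
        inv = gf_mul(inv, term)
    return inv

def gf_div(u, v):
    return gf_mul(u, gf_inv(v, 2, 3))  # 2 * 3 = M - 1

# Affine points are (x, y) tuples; None is the point at infinity O.

def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return gf_sq(y) ^ gf_mul(x, y) == gf_mul(gf_sq(x), x) ^ gf_mul(A, gf_sq(x)) ^ B

def point_double(pt):
    """2P: x3 = x1^2 + B/x1^2 and y3 = x1^2 + (x1 + y1/x1)*x3 + x3, as described on the page."""
    if pt is None or pt[0] == 0:     # a point with x = 0 has order 2, so 2P = O
        return None
    x1, y1 = pt
    x1sq = gf_sq(x1)
    x3 = x1sq ^ gf_div(B, x1sq)
    lam = x1 ^ gf_div(y1, x1)
    return (x3, x1sq ^ gf_mul(lam, x3) ^ x3)

def point_add(p, q):
    """P + Q for dissimilar points; the negative of (x, y) is (x, x + y)."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        return point_double(p) if y1 == y2 else None   # Q = P, or Q = -P
    lam = gf_div(y1 ^ y2, x1 ^ x2)
    x3 = gf_sq(lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def scalar_mult(d, pt):
    """dP by double-and-add: keep 2^i P and add it whenever bit i of d is 1."""
    acc, power = None, pt
    while d:
        if d & 1:
            acc = point_add(acc, power)
        power = point_double(power)
        d >>= 1
    return acc

def session_keys(d, k, base):
    """Receiver's public key dP, session public key kP, and kdP computed by both parties."""
    dP, kP = scalar_mult(d, base), scalar_mult(k, base)
    return dP, kP, scalar_mult(k, dP), scalar_mult(d, kP)

if __name__ == "__main__":
    dP, kP, kdP, dkP = session_keys(0b1011, 0b10101, P0)   # constructed d and k
    print("dP =", dP, "kP =", kP, "k(dP) == d(kP):", kdP == dkP)
```

The two inversion stages cost (g-1) + (h-1) multiplications in total, so for the page's m = 155 one picks the factorization of 154 that minimises g + h; with g = 1 or h = 1 the chain degenerates into plain repeated squaring and multiplying.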

Performance of Arithmetic Unit 20

For computations in a Galois field $F_{2^m}$ with m = 155, it has been found that computing the inverse takes approximately 3800 clock cycles.

The doubling of a point, i.e. the addition of a point to itself, takes of the order of 4500 clock cycles, and for a practical implementation of a private key the computation of the public key dP may be performed in the order of $1.5 \times 10^6$ clock cycles. With a clock rate typically of the order of 40 MHz, the computation of dP will take of the order of $3 \times 10^{-2}$ seconds. This throughput can be enhanced by bounding the seed key k to a Hamming weight of, for example, 20, and thereby limiting the number of additions of dissimilar points. A low-weight seed also reduces the number of possible values of k, which must be weighed against the speed gain.

Computation of session public key kP and encryption

The session public key kP can similarly be computed with the arithmetic unit 20 of the transmitter 10 using the base point P from register 28. Likewise, because the public key dP is represented as a point $(x_d, y_d)$, the encryption key kdP can be computed in similar fashion.

Each of these operations will take a similar time and can be completed prior to the transmission.

The recipient 12 is similarly required to compute dkP when it receives the ciphertext c, which again will take of the order of $3 \times 10^{-2}$ seconds, well within the time expected for a practical implementation of an encryption unit.

The public key dP and the session key kP are each represented as a 310 bit data string and as such require a significantly reduced bandwidth for transmission. At the same time, the attributes of elliptic curves provide a secure encryption strategy with a practical implementation due to the efficacy of the arithmetic unit 20.



Curve selection

a) The selection of the field $F_{2^m}$

The above example has utilised a field of $2^{155}$ elements and a non-supersingular curve. The value 155 was chosen in part because an optimal normal basis exists in $F_{2^{155}}$ over $F_2$. However, a main consideration is the security and efficiency of the encryption system. The value 155 is large enough to be secure but small enough for efficient operation. A consideration of conventional attacks that might be used to break the ciphertext suggests that with elliptic curves over $F_{2^m}$, a value of m of about 130 provides a very secure system. Using one thousand devices in parallel, the time taken to find one logarithm is about $1.5 \times 10^{11}$ seconds, or at least 1500 years, using the best known method and the field $F_{2^{155}}$. Other techniques produce longer run times.

b) Supersingular v. Nonsupersingular Curves

A comparison of attacks on data encrypted using elliptic curves suggests that non-supersingular curves are more robust than supersingular curves. For a field $F_{q^k}$, an attack based on the method suggested by Menezes, Okamoto and Vanstone in an article entitled "Reducing elliptic curve logarithms to logarithms in a finite field", published in the Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, 1991, pp. 80-89 (the MOV attack), shows that for small values of k the attack becomes subexponential. Most supersingular curves have small values of k associated with them. In general, however, non-supersingular curves have large values of k, and provided $k > \log^2 q$ the MOV attack becomes less efficient than more conventional general attacks.

The use of a supersingular curve is attractive since the doubling of a point (i.e. the case where P = Q) does not require any real time inversions in the underlying field. For a supersingular curve, the coordinates of 2P are given by closed-form expressions in $x_1$, $y_1$ and the curve constant a. Since a is a constant, $a^{-1}$ and $a^{-2}$ are fixed for a given curve and can be precomputed. The values of $x_1^2$ and $x_1^4$ can be computed with a single and a double cyclic shift respectively on the multiplier 48. However, the subsequent addition of dissimilar points to provide the value of dP still requires the computation of an inverse, $(x_1 \oplus x_2)^{-1}$, since

$x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus x_1 \oplus x_2$ and

$y_3 = (x_1 \oplus x_3)\,\frac{y_1 \oplus y_2}{x_1 \oplus x_2} \oplus y_1 \oplus a$.

Accordingly, although supersingular curves lead to efficient implementations, there is a relatively small set of supersingular curves from which to choose, particularly if the encryption is to be robust. For a supersingular curve where m is odd, there are 3 classes of curve that can be considered further, namely

$y^2 + y = x^3$
$y^2 + y = x^3 + x$
$y^2 + y = x^3 + x + 1$

However, a consideration of these curves for the case where m = 155 shows that none provide the necessary robustness from attack.

Enhanced security for supersingular curves can be obtained by employing quadratic extensions of the underlying field. In fact, in $F_q$ where $q = 2^{310}$, i.e. a quadratic extension of $F_{2^{155}}$, amongst the supersingular curves there are four which under the MOV attack require computation of discrete logs in $F_{2^{1240}}$. These curves provide the requisite high security and also exhibit a high throughput. Similarly, in other extensions of subfields of $F_{2^{155}}$, other curves exist that exhibit the requisite robustness. However, their use increases the number of digits that define a point and hence the bandwidth when they are transmitted.

By contrast, the number of nonsupersingular curves over $F_q$, $q = 2^m$, is $2(2^m - 1)$. By selecting $q = 2^{155}$, i.e. the field $F_{2^{155}}$, the value of a in the representation of the curve $y^2 + xy = x^3 + ax^2 + b$ can be chosen to be either 1 or 0 without loss of generality. This large choice of curves permits large numbers of curves over this field to be found for which the order of the curve is divisible by a large prime factor. In general, determining the order of an arbitrary nonsupersingular curve over $F_q$ is not trivial, and one approach is explained further in the paper entitled "Counting Points on Elliptic Curves" by Menezes, Vanstone and Zuccherato, Mathematics of Computation, 1992.

In general however, the selection of suitable curves is well known in the art, as exemplified in "Applications of Finite Fields", chapters 7 and 8, by Menezes, Blake et al., Kluwer Academic Publishers (ISBN 0-7923-9282-5). Because of the large number of such curves that meet the requirements, the use of nonsupersingular curves is preferred despite the added computations.
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An alternative approach that reduces the nvixaber of 
inversions when using nonsupersingular curves is to 
employ homogeneous coordinates. A point P is defined by 
the coordinates (x,y,z,) and Q by the point (X2,y2,X2} 

The point (0,1,0) represents the identity 0 in 



To derive the addition formulas for the elliptic 
10 curve with this representation, we take points 

P * i^iVxiZi) and Q » (^,3^2,^2) , normalize each to 

{x^/z^s Yx/z^i 1) i (X|/^2' y^f^z* 1) f apply the previous 
addition formulas. If 

P = {x^,y^,z^) , 0 = ix^iVz^Zj^) , P,0 ^ 0, and P ^ -Q then 
15 P + 0 «= (x^,yx0Z^) where if 0, then 
» AD 

where A = x^z^ + x^z^ , B - y^z^ + y^Zj , C « A + S and 
20 D ' A^(A + aZjZa) * Z^ZyBC. 

In the case of P ^ Q, then 

yj = Xi*A * Bixl + y^z^ + A) 
25 Z3 » A^ 
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Where A = x^Zy^ and B = bz^ + . 



It will be noted that the computation of Xj y, and Zj 



does not require any inversion. However, to derive the 
5 coordinates x^.y^ in a nonhomogeneous representation, 
it is necessary to normalize the representation so that 



This operation requires an inversion that utilizes 
10 the procedure noted above. However, only one inversion 
operation is required for the computation of dP. 

Using homogeneous coordinates, it is still possible 
to compute dP using the version of the double and add 
15 method described above. The computing action of 

P * 0 , P ^ 0, requires 13 field multiplications, and 2P 
requires 7 multiplications. 



Alternative Key Transfer

In the example above, the coordinates of the keys kP and kdP are each transferred as two 155 bit field elements of $F_{2^{155}}$. To reduce the bandwidth further it is possible to transmit only one of the coordinates and compute the other coordinate at the receiver. An identifier, for example a single bit of the correct value of the other coordinate, may also be transmitted. This permits the possibilities for the second coordinate to be computed by the recipient and the correct one identified from the identifier.

Referring therefore to Figure 1, the transmitter 10 initially retrieves as the public key dP of the receiver 12 a bit string representing the coordinate $x_0$ and a single bit of the coordinate $y_0$.

The transmitter 10 has the parameters of the curve in register 30 and therefore may use the coordinate $x_0$ and the curve parameters to obtain possible values of the other coordinate $y_0$ from the arithmetic unit 20.

For a curve of the form $y^2 + xy = x^3 + ax^2 + b$ and a coordinate $x_0$, the possible values $y_1, y_2$ for $y_0$ are the roots of the quadratic $y^2 + x_0 y = x_0^3 + a x_0^2 + b$.

By solving for y in the arithmetic unit 20, two possible roots will be obtained, and comparison with the transmitted bit of information will indicate which of the values is the appropriate value of y.

The two possible values of the second coordinate $y_0$ differ by $x_0$, i.e. $y_2 = y_1 + x_0$. Since the two values of $y_0$ differ by $x_0$, $y_1$ and $y_2$ will always differ where a "1" occurs in the representation of $x_0$. Accordingly the additional bit transmitted is selected from one of those positions, and examination of the corresponding bit of the values of $y_0$ will indicate which of the two roots is the appropriate value.

The transmitter 10 thus can generate the coordinates of the public key dP even though only 156 bits are retrieved.

Similar efficiencies may be realized in transmitting the session key kP to the receiver 12, as the transmitter 10 need only forward one coordinate, $x_0$, and the selected identifying bit of $y_0$. The receiver 12 may then reconstruct the possible values of $y_0$ and select the appropriate one.

In the field $F_{2^m}$ it is not possible to solve for y using the quadratic formula, as 2a = 0. Accordingly, other techniques need to be utilised, and the arithmetic unit 20 is particularly adapted to perform this efficiently.

In general, provided $x_0$ is not zero, if $y = x_0 z$ then substitution into the curve equation gives $x_0^2 z^2 + x_0^2 z = x_0^3 + a x_0^2 + b$.

This may be written as $z^2 + z = x_0 + a + b x_0^{-2} = c$, i.e. $z^2 + z = c$.

If m is odd then either

$z = c + c^4 + c^{16} + \cdots + c^{2^{m-1}}$ or $z = 1 + c + c^4 + \cdots + c^{2^{m-1}}$

to provide two possible values for $y_0$; the two roots differ by 1, so the two values $y_0 = x_0 z$ differ by $x_0$, as noted above.

A similar solution exists for the case where m is even that also utilises terms of the form $c^{2^i}$.

This is particularly suitable for use with a normal basis representation in $F_{2^m}$. As noted above, raising a field element in $F_{2^m}$ to a power $2^g$ can be achieved by a g-fold cyclic shift where the field element is represented in a normal basis. Accordingly, each term of z can be computed by shifting and adding, and the values of $y_0$ obtained. The correct one of the values is determined by the additional bit transmitted.

The use of a normal basis representation in $F_{2^m}$ therefore simplifies the protocol used to recover the coordinate $y_0$.
25 
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If P = (Xq Yo) is a point on the elliptic c\irve E : 
+ xy - + ax^ + b defined over a field i-^- # then y^, is 
defined to be 0 if Xq = o; if Xo ?^ 0 then is defined to 
be the least significant bit of the field element Yo^Xq*^' 

The x-coordinate Xq of P and the bit y^ are 
transmitted between the transmitter 10 and receiver 12* 
Then the y coordinate Yo can be recovered as follows. 



iO 1. If Xo « 0 then Yo is obtained by cyclically 

shifting the vector representation of the field 
element b that is stored in parameter register 
30 one position to the left. That is, if 

^5 then ^£)^^ . . . h^ii^ii^^ 

2. If Xq 9^ 0 then do the following: 

2.1 Compute the field element c = Xq + a + bXo'^ 
in Fj*. 

20 2.2 Let the vector representation of c be 

C " Cofc-2* ♦ •CjCq. 

2.3 Construct a field element z - ZbkiZ^j- - -^iZo 
by setting 

2S z, « Co ® Zo/ 

Z2 Cj ® z,, 

2»2 = C^3 ® Z«-3* 
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2.4 Finally, compute s Xq • z. 

It will be noted that the computation of Xq' can be 

5 readily computed in the arithmetic unit 20 as described 
above and that the computation of y^ can be obtained from 
the multiplier 48. 

In the above examples, the identification of the appropriate value of $y_0$ has been obtained by transmission of a single bit and a comparison of the values of the roots obtained. However, other indicators may be used to identify the appropriate one of the values, and the operation is not restricted to encryption with elliptic curves in the field $GF(2^m)$. For example, if the field is selected as $Z_p$ with $p \equiv 3 \pmod 4$, then the Legendre symbol associated with the appropriate value could be transmitted to designate the appropriate value (for $p \equiv 3 \pmod 4$, -1 is a quadratic non-residue, so the two candidates y and -y have opposite Legendre symbols). Alternatively, the set of elements in $Z_p$ could be subdivided into a pair of subsets with the property that if y is in one subset then -y is in the other, provided $y \neq 0$. An arbitrary value can then be assigned to the respective subsets and transmitted with the coordinate $x_0$ to indicate in which subset the appropriate value of $y_0$ is located. Accordingly, the appropriate value of $y_0$ can be determined. Conveniently, it is possible to take an appropriate representation in which the subsets are arranged as intervals to facilitate the identification of the appropriate value of $y_0$.
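The two $Z_p$ identifiers just described (the Legendre symbol of y, and a pair of subsets arranged as the intervals $[1, (p-1)/2]$ and $[(p+1)/2, p-1]$), as an added example that is not part of the patent. It assumes a constructed prime p = 10007 with $p \equiv 3 \pmod 4$, the curve $y^2 = x^3 + ax + b$ with constructed a, b (the usual form over $Z_p$, not the characteristic-2 curve used elsewhere on the page), and its own function names.

```python
# Added example (not the patent's code): one-coordinate key transfer over Z_p,
# p = 3 (mod 4). Both identifiers from the page are implemented: the Legendre
# symbol of y, and membership of y in the lower interval [1, (p-1)/2].
# Assumptions: constructed prime P_MOD and constructed curve y^2 = x^3 + A x + B.

P_MOD = 10007            # prime, 10007 = 4 * 2501 + 3
A, B = 3, 5              # constructed curve coefficients; 4A^3 + 27B^2 = 783 != 0 (mod p)

def legendre(c):
    """Legendre symbol (c/p) by Euler's criterion: 1 for a non-zero square, p-1 (= -1) otherwise, 0 for 0."""
    return pow(c, (P_MOD - 1) // 2, P_MOD)

def sqrt_mod(c):
    """Square root of c modulo p when p = 3 (mod 4): c^((p+1)/4). Raises if c is a non-square."""
    r = pow(c, (P_MOD + 1) // 4, P_MOD)
    if r * r % P_MOD != c % P_MOD:
        raise ValueError("no square root modulo p")
    return r

def rhs(x):
    return (x * x * x + A * x + B) % P_MOD

def identifier(y, scheme):
    """The bit sent alongside x0. Either scheme separates y from -y when y != 0:
    for p = 3 (mod 4), -1 is a non-square, so exactly one of y, -y is a square,
    and exactly one of y, p - y lies in the lower interval."""
    if scheme == "legendre":
        return 1 if legendre(y) == 1 else 0
    if scheme == "interval":
        return 1 if 1 <= y <= (P_MOD - 1) // 2 else 0
    raise ValueError("unknown scheme: %r" % scheme)

def compress(x, y, scheme):
    return x, identifier(y, scheme)

def decompress(x, bit, scheme):
    """Recover y from x and the identifier: solve y^2 = rhs(x), then pick the root matching the bit."""
    r = sqrt_mod(rhs(x))
    for cand in (r, (-r) % P_MOD):
        if identifier(cand, scheme) == bit:
            return x, cand
    raise ValueError("no root matches the identifier")   # unreachable for a point on the curve

def find_point(start_x=1):
    """Constructed sample point: first x >= start_x whose right-hand side is a non-zero square."""
    x = start_x
    while legendre(rhs(x)) != 1:
        x += 1
    return x, sqrt_mod(rhs(x))

if __name__ == "__main__":
    x, y = find_point()
    for scheme in ("legendre", "interval"):
        assert decompress(*compress(x, y, scheme), scheme) == (x, y)
    print("point", (x, y), "round-trips under both identifiers")
```

A receiver must verify that the recovered y actually satisfies the curve equation before using the point: an x with no square root on the right-hand side (sqrt_mod raises) is an invalid transmission, not a key.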

These techniques are particularly suitable for encryption utilizing elliptic curves but may also be used with any algebraic curves, and have applications in other fields such as error correcting coding where coordinates of points on curves have to be transferred.

It will be seen therefore that by utilising an elliptic curve lying in the finite field $GF(2^m)$ and utilising a normal basis representation, the computations necessary for encryption with elliptic curves may be efficiently performed. Such operations may be implemented in either software or hardware, and the structuring of the computations makes the use of a finite field multiplier implemented in hardware particularly efficient.
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I Claim; 

1. A method of computing an inverse of a number x 

with a finite field multiplier operating in the finite 
5 field GF(2**) and having elements A^^ (oiKi that constitute 

a normal basis, said multiplier having a pair of m celled 
recirculating shift registers connected to a m celled 
recirculating accumulating register to generate in each 
of said accumulating register a respective grouped term 
10 of the normal basis representation of the product of a 
pair of elements located in respective ones of said 
recirculating shift registers, said method comprising the 
steps of 

a) representing the number x as a vector of binary 
15 digits X; where Xj is the coefficient of A^^ in the 

normal basis representation of x, 

b) loading in to each of said shift registers the 
vector of binary digits x^ representing the normal basis 
representation of x^, 

20 c) cyclically shifting the binary digits of a 

first of said registers one cell to provide in said first 

register a vector representing x*, 

d) rotating said vectors in said shift registers 

and CO jointly rotating said accumulating register with a 
25 m fold cyclic shift to generate in the cells of said 

accumulating register the m grouped terms representing 

the vector of the product of x^ and y^, 
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e) loading the vector from the accumulating 
register to a second of said shift registers, 

f) repeating the steps of (c) , (d) , and (e) (g-2) 
times where g is a factor of m-l to provide in said 

5 accumulating register a vector 7 which is the normal 

basxs representation of the exponentiation of 

g) loading the vector representing the normal 
basis representation of y in each of said shift 
registers, 

D h) performing a g-fold cyclic shift the binary 

digits of the vector in one of said shift registers where 
g is a factor of m-l and g.h » m-i to provide a vector 
representing y^' in said one register/ 

i) rotating said bit elements in said shift 

i registers and said accjimulating register to generate 

grouped terms of the vector representing the product of 7 
and Y*" , 

j) loading the vector from the accumulating 
register to the other of said shift registers, 

k) repeating steps h), i), and j) a total of g(h- 
1)-1 times to provide in said accumulating cell a vector 
of binary digits of the coefficients of the normal basis 
representation of the inverse of x. 
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2. A method according to claim 1 including the 
step of loading the vector representing x into one of 
said registers, performing a l cell cyclic shift to 
provide and copying the resultant vector in to the 

5 other of said registers. 

3. In a data encryption system in which the data 
is combined with an encryption key to produce ciphertext, 
a method of generating a key comprising the steps of 

10 a) selecting an elliptic curve of the form y^ + xy 

= X* + ax^ + b lying in the finite field GF2", said field 
being selected to have elements A^^ (os^i^m) that 
constitute a normal basis, 

b) representing the coordinates of a point on said 
15 curve as a set of vectors, each vector representing a 

coordinate of said point and having m binary digits, each 
of which represents the coefficient of A^^ in the 
normal basis representation of said vector, 

c) computing from addition of at least two sets of 
20 vectors an additional set of vectors to represent the 

coordinates of fxirther point on said curve, and 

d) utilising said additional set of vectors to 
derive a key for encrypting data. 

25 4, A method according to claim 3 wherein addition of 
sets of vectors involves at lest one squaring operation. 
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5* A method according to claim 4 wherein said squaring 
operation is performed on at least one of said vectors of 
one of said sets representing a point. 

5 6. A method according to claim 5 wherein said squaring 
operation is performed on combinations of vectors from a 
plurality of said sets representing respective points. 

7. A method according to claim 5 wherein each of said 
10 vectors is represented as m binary digits and squaring 

thereof is performed by a cyclic shift of said m binary 
digits. 

8. A method according to claim 7 wherein said m binary 
15 digits are stored in respective cells of a shift register 

and squaring thereof is performed by a cyclic shift of 
said m bits in said register. 

9. A method according to claim 3 wherein addition of 
20 sets of vectors involves the computation of at least one 

inverse of a vector. 

10 « A method according to claim 9 wherein said inversion 
utilises multiple squaring operations. 

25 

11. A method according to claim 10 wherein squaring 
operations are performed by a cyclic shift of binary 
digits. 
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12. A method according to claim 9 wherein computation of 
said inverse includes an exponentiation of the square of 
the vector to provide a value 7 of the form 

= pi*2*2^ 

5 where is the square of the vector and g is a factor of 
m-1. 

13. A method according to claim 12 wherein successive 
terms of said exponentiation are obtained by successive 

10 cyclic shifts of the vector. 

14. A method according to claim 13 wherein the value of 
the 7 is accximulated after each cyclic shift by 
multiplication of the shifted term with the previously 

15 accumulated value of 7. 

15. A method according to claim 12 wherein m binary 
digits representing P are stored in each of a pair of 
shift registers, one of said pair of registers being 

20 cyclically shifted and said pair of registers being 
multiplied to provide an intermediate value of 7. 

16. A method according to claim 15 wherein said one of 
said pair of registers is further cyclically shifted to 

25 provide a further successive term of said expansion and 
said further successive term multiplied with said 
intermediate value to provide a further intermediate 
value of 7. 
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17. A method according to claim 16 wherein said cyclic 
shifting and multiplication is performed g-2 times to 
complete said exponentiation of 0 and provide a value of 
7- 

18. A method according to claim 12 where computation of 
said inverse includes a further exponentiation of y of 

the form y^*»'**''- • 

Where h is a factor of m-1 such that gh - m-1. 

19. A method according to claim 18 wherein successive 
terms said fxirther exponentiation are obtained by 
successive cyclic shifts of the m binary digits 
representing 7. 

20. A method according to claim 19 wherein the value of 
said inverse is accximulated after each cyclic shift by 
multiplication of the shifted term with the previously 
accxjtmulated value of 7. 



21. A method according to claim 18 wherein m binary 
digits representing 7 are stored in each of a pair of 
shift registers, one of said pair of registers being 
cyclically shifted and said pair of registers being 
25 multiplied together to provide an intermediate value of 
said inverse. 
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22* A method according to claim 21 wherein said one of 
said pair of registers is further cyclically shifted to 
provide a further successive term of said expansion which 
is then multiplied with said intermediate value of said 
5 inverse to provide a further intermediate value thereof. 

23. A method according to claim 23 wherein said cyclic 
shifting and multiplication is performed (h-l)g-l times 
to complete exponentiation of 7. 



24. A method according to claim 3 wherein said further point on said curve is an integer multiple d of said point P and said value dP is computed by successively doubling multiples of P to provide terms 2^t P from t = 0 to

of the binary representation of d.

25. A method according to claim 24 wherein doubling of multiples of P is obtained by computing

where λ is the coefficient

and

where x_i, y_i are the coordinates of the point 2^{i-1} P and x_{i+1}, y_{i+1} are the coordinates of the point 2^i P.

26. A method according to claim 25 wherein computation of the term x_i^2 is obtained by a cyclic shift of binary digits representing x_i in a normal basis.

27. A method according to claim 26 wherein computation of the inverse of x_i^2 is computed by an exponentiation of x_i^2 to provide a value γ of the form β^{1 + 2 + 2^2 + ··· + 2^{g-1}} where β = x_i^2 and g is a factor of m-1.

28. A method according to claim 27 wherein successive terms of said exponentiation are obtained by successive cyclic shifts of the binary digits representing x_i^2 in a normal basis.

29. A method according to claim 28 wherein computation of the inverse of x_i^2 includes a further exponentiation of γ of the form γ^{1 + 2^g + 2^{2g} + ··· + 2^{(h-1)g}} where h is a factor of m-1 such that gh = m-1.

30. A method according to claim 29 wherein successive terms of said further exponentiation are obtained by successive cyclic shifts of the m binary digits representing γ.

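
The following is an added worked example, not code from the patent, showing the two properties claims 7 through 30 rely on: in a normal basis of GF(2^m) squaring is a one-place cyclic shift of the coordinate vector, and an inverse can be assembled as β = x^2, γ = β^{1+2+···+2^{g-1}}, x^{-1} = γ^{1+2^g+···+2^{(h-1)g}} with gh = m-1, using only shifts and (g-1)+(h-1) multiplications. The field size m = 7 (so g = 2, h = 3), the reduction polynomial x^7 + x + 1 and the detour through a polynomial basis to obtain a multiplication rule are all choices made for this example; a hardware normal-basis multiplier would compute products directly on the shifted registers.

```python
# Added example (not from the patent): normal-basis squaring as a cyclic shift
# and the two-stage g/h inversion chain of claims 12-23, over a small field.
import itertools

M = 7                     # field degree; m-1 = 6 = g*h (constructed choice)
G, H = 2, 3               # factors of m-1 used by the exponentiation chain
MOD = (1 << M) | 0b11     # x^7 + x + 1, irreducible over GF(2)


def pb_mul(a, b):
    """Multiply two elements held in a polynomial basis (M-bit ints) mod MOD.
    Used only to obtain the field's multiplication rule for the small demo."""
    r = 0
    for _ in range(M):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MOD
    return r


def find_normal_basis():
    """Return [beta, beta^2, ..., beta^(2^(M-1))] for the first beta whose
    conjugates span the whole field, i.e. form a normal basis."""
    for beta in range(2, 1 << M):
        conj = [beta]
        for _ in range(M - 1):
            conj.append(pb_mul(conj[-1], conj[-1]))
        span = {0}
        for c in conj:
            span |= {s ^ c for s in span}
        if len(span) == 1 << M:
            return conj
    raise ValueError("no normal element found")


BASIS = find_normal_basis()


def from_nb(coords):
    """Coordinate tuple (bit i multiplies beta^(2^i)) -> polynomial-basis int."""
    v = 0
    for bit, b in zip(coords, BASIS):
        if bit:
            v ^= b
    return v


# Inverse map; it is a bijection precisely because BASIS is a normal basis.
TO_NB = {from_nb(c): c for c in itertools.product((0, 1), repeat=M)}
ONE = TO_NB[1]            # in a normal basis the identity is the all-ones vector


def nb_shift(coords, k):
    """k-fold cyclic shift, which is the 2^k-th power (claims 7, 11, 26, 41)."""
    k %= M
    return coords[M - k:] + coords[:M - k]


def nb_mul(a, b):
    """Field product on coordinate vectors. A hardware normal-basis multiplier
    does this directly; here we detour through the polynomial basis."""
    return TO_NB[pb_mul(from_nb(a), from_nb(b))]


def nb_inverse(x):
    """x^-1 via beta = x^2, gamma = beta^(1+2+...+2^(g-1)),
    x^-1 = gamma^(1+2^g+...+2^((h-1)g)); mirrors the shift-register
    accumulation of claims 13-23. Returns (inverse, multiplications used)."""
    beta = nb_shift(x, 1)
    gamma, term, muls = beta, beta, 0
    for _ in range(G - 1):          # one-place shifts, accumulate into gamma
        term = nb_shift(term, 1)
        gamma = nb_mul(gamma, term)
        muls += 1
    inv, term = gamma, gamma
    for _ in range(H - 1):          # g-fold shifts of gamma, accumulate
        term = nb_shift(term, G)
        inv = nb_mul(inv, term)
        muls += 1
    return inv, muls


def check_all():
    """Verify shift == square and the inversion chain for every nonzero element."""
    for v in range(1, 1 << M):
        x = TO_NB[v]
        if nb_shift(x, 1) != TO_NB[pb_mul(v, v)]:
            return False
        inv, muls = nb_inverse(x)
        if nb_mul(x, inv) != ONE or muls != (G - 1) + (H - 1):
            return False
    return True


if __name__ == "__main__":
    print("normal element:", bin(BASIS[0]), "ONE =", ONE)
    print("all checks pass:", check_all())
```

Running check_all() confirms, for all 127 nonzero elements, that a one-place rotation of the coordinate vector equals the square computed independently and that the g/h chain returns a true inverse with exactly three multiplications; a naive square-and-multiply for x^{2^m-2} would need more. The all-ones identity vector is the usual quick sanity check that a chosen β really is a normal element.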
31. A method of transferring the coordinates of a point on an algebraic curve between a pair of correspondents connected by a data communications link comprising the steps of forwarding from one correspondent to another a coordinate of said point, providing at said other correspondent parameters of said algebraic curve, and computing at said other correspondent said other coordinate from said one coordinate and said algebraic curve.

32. A method according to claim 31 including the step of forwarding with said one coordinate identifying information of said other coordinate and utilising said identifying information and a discriminating function to determine the appropriate value of said other coordinate.

33. A method according to claim 32 wherein said identifying information is a digital bit of said other coordinate that identifies the appropriate value of said other coordinate.

34. A method according to claim 32 wherein said algebraic curve is an elliptic curve of the form y^2 + xy = x^3 + ax^2 + b and said other coordinate is determined by solving a quadratic equation to provide two possible values of said other coordinate, said identifying information indicating the appropriate one of said values.

35. A method according to claim 34 wherein said identifying information is a digital bit of said other coordinate that identifies the appropriate value of said other coordinate.

36. A method according to claim 31 wherein said algebraic curve is an elliptic curve of the form y^2 + xy = x^3 + ax^2 + b defined over a finite field F_{2^m}.

37. A method according to claim 36 including the step of forwarding with said one coordinate identifying information of said other coordinate and utilising said identifying information and a discriminating function to determine the appropriate value of said other coordinate.

38. A method according to claim 37 wherein said field GF(2^m) has field elements A^{2^i} that constitute a normal basis.

39. A method according to claim 38 wherein said other coordinate is determined by solving a quadratic equation to provide two possible values of said other coordinate, said identifying information indicating the appropriate one of said values.

40. A method according to claim 38 wherein said quadratic equation is solved by summing terms of the form c^{2^g} from g = 0 to g = m-1 where c = x_0 + a + b x_0^{-2} and x_0 is said one coordinate.

41. A method according to claim 40 wherein terms of the form c^{2^g} are obtained by g-fold cyclic shifts of the normal basis representation of c.

42. A method according to claim 32 wherein said algebraic curve is defined over the field Z_p and said identifying information indicates the Legendre symbol of the appropriate value.

43. A method according to claim 32 wherein said curve is defined over the field Z_p and the elements thereof subdivided into a pair of subsets, one of which contains one possible value and the other of which contains the other possible value, said indicating information identifying the subset containing the appropriate value.
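
The following is an added worked example, not code from the patent, of the coordinate transfer of claims 31 through 33 in the Z_p setting of claims 42 and 43: the sender forwards x and one identifying bit, and the receiver recovers y from the curve parameters. Two discriminating functions are shown, the Legendre symbol of y (claim 42) and membership of y in one of two halves of Z_p (claim 43). The prime p = 2^127 - 1, the short Weierstrass curve y^2 = x^3 + Ax + B and its coefficients are assumptions made for this example (the page does not give a Z_p curve); p ≡ 3 (mod 4) is chosen so that square roots are a single exponentiation and so that exactly one of the two candidate roots is a quadratic residue. The binary-field branch of claims 34 through 41 needs GF(2^m) arithmetic and is not repeated here.

```python
# Added example (not from the patent): the Z_p branch of claims 31-33, 42-43.
# Curve y^2 = x^3 + A x + B over Z_p is an assumed demonstration curve.
P = (1 << 127) - 1        # Mersenne prime, P % 4 == 3 (constructed choice)
A, B = P - 3, 7           # assumed curve coefficients, not taken from the page


def legendre(v):
    """Legendre symbol (v/P): 1 for a nonzero square, P-1 (i.e. -1) otherwise, 0 for 0."""
    return pow(v % P, (P - 1) // 2, P)


def sqrt_mod(v):
    """One square root of v mod P (valid because P % 4 == 3), or None if v is a non-residue."""
    r = pow(v % P, (P + 1) // 4, P)
    return r if r * r % P == v % P else None


def ident_legendre(y):
    """Claim 42: identifying bit = 'y is a quadratic residue'. Since P % 4 == 3,
    -1 is a non-residue, so exactly one of y and P-y is a residue."""
    return 1 if legendre(y) == 1 else 0


def ident_subset(y):
    """Claim 43: Z_p split into {1..(P-1)/2} and {(P+1)/2..P-1}; the bit names the subset."""
    return 1 if y > (P - 1) // 2 else 0


def compress(x, y, ident):
    """What the sending correspondent forwards: x plus one identifying bit."""
    return x, ident(y)


def decompress(x, bit, ident):
    """Recover y at the receiving correspondent from x, the curve and the bit.
    Rejects x values that are not the abscissa of any point (a receiver must
    treat that as a malformed message, not silently pick a root)."""
    r = sqrt_mod(x ** 3 + A * x + B)
    if r is None:
        raise ValueError("x is not the abscissa of a point on the curve")
    return r if ident(r) == bit else (P - r) % P


def sample_point(start=1):
    """Constructed test data: the first x >= start that lies on the curve."""
    x = start
    while sqrt_mod(x ** 3 + A * x + B) is None:
        x += 1
    return x, sqrt_mod(x ** 3 + A * x + B)


def roundtrip(ident, n=20):
    """Compress and decompress n points (both roots each) under one discriminating function."""
    x = 1
    for _ in range(n):
        x, y = sample_point(x)
        for yy in (y, (P - y) % P):          # both candidate roots must survive the trip
            cx, bit = compress(x, yy, ident)
            if decompress(cx, bit, ident) != yy:
                return False
        x += 1
    return True


if __name__ == "__main__":
    print("Legendre-symbol bit:", roundtrip(ident_legendre))
    print("subset bit:        ", roundtrip(ident_subset))
```

Both discriminating functions work because the two roots y and p - y always fall on opposite sides of the chosen partition (for the Legendre symbol this relies on p ≡ 3 (mod 4); for a prime with p ≡ 1 (mod 4) the subset function of claim 43, or a parity bit, is the usual choice). The receiver-side check that x actually lies on the curve is the detail a practitioner must not drop: it is the only thing preventing an off-curve value from being accepted as a point.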

44. A method of encrypting a message m using a private key representative of a coordinate (x,y) of a point P on an elliptic curve, said method comprising the steps of representing said message m as a pair of message bit strings m_1, m_2 of length corresponding to the coordinates x, y, and combining said message bit strings m_1 and m_2 with an enciphering bit string derived from at least one of said coordinates to provide ciphertext c.

45. A method according to claim 44 wherein said enciphering bit strings are derived from each of said coordinates to produce ciphertext c.

46. A method according to claim 44 wherein said message bit strings are combined with enciphering bit strings derived from one of said coordinates and a function thereof to produce said ciphertext.

47. A method according to claim 45 wherein said enciphering bit string is derived from said coordinate x and the cube x^3 thereof.

48. A method according to claim 44 wherein field elements z are derived from at least one of said coordinates and modify the combination of said message bit strings and said enciphering bit string.

49. A method according to claim 48 wherein said ciphertext c is of the form (c_1, c_2) where

c_1 = z_1(m_1 ⊕ f_1(x_0)) and
c_2 = z_2(m_2 ⊕ f_2(x_0));

f_1(x_0), f_2(x_0) are respective first and second values derived from the coordinate x and z_1 and z_2 are respective field elements derived from the coordinate x.




50. A method according to claim 49 wherein f_2(x) is said second coordinate.

51. A method according to claim 49 wherein f_2(x) is the cube of the value of the coordinate x.

52. A method according to claim 59 wherein said field elements z are formed by concatenating part of each of said values f_1(x), f_2(x).

53. A method according to claim 52 wherein f_2(x) is derived from the cube of the value of the coordinate x.

54. A method according to claim 49 wherein c_1 = z_1(m_1 ⊕ x_0) and

and z_1 = x_{01} ‖ x_{32} and

where x_{01} ‖ x_{32} is the concatenation of the first half of the representation of the coordinate x and the second half of the representation of x^3, and x_{02} ‖ x_{31} is the concatenation of the second half of the representation of the coordinate x with the first half of the representation of x^3.

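
The following is an added worked example, not code from the patent, of the ciphertext construction in claims 44 through 54 together with the matching decryption: c_1 = z_1(m_1 ⊕ x_0) and c_2 = z_2(m_2 ⊕ x_0^3), with z_1 and z_2 built by concatenating halves of the bit strings of x_0 and x_0^3. To keep it stand-alone it works over a prime field Z_p rather than F_{2^m}, takes "representation" to mean a fixed-length big-endian bit string, and uses a constructed stand-in for the shared point's x coordinate (how the correspondents agree on that point is outside this example). The prime p = 2^61 - 1, the sample messages and the split position are all choices made here.

```python
# Added example (not from the patent): the ciphertext construction of claims
# 44-54, worked over a prime field Z_p rather than F_2^m. The shared point's
# x coordinate is a constructed value; deriving it is not shown.
P = (1 << 61) - 1        # Mersenne prime (constructed choice); L-bit elements
L = P.bit_length()       # 61
HALF = L // 2            # split position for "first half" / "second half"

X0 = 0x0F1E2D3C4B5A6978 % P                 # constructed stand-in for x_0
M1 = int.from_bytes(b"message", "big")      # constructed sample message halves
M2 = int.from_bytes(b"bitstrs", "big")


def bits(v):
    """L-bit big-endian string of a field element (assumed representation)."""
    return format(v % P, f"0{L}b")


def derive_z(x0):
    """z_1 = first half of x || second half of x^3,
    z_2 = second half of x || first half of x^3 (claim 54).
    The concatenated strings are reinterpreted as field elements and must be
    invertible for decryption to exist, so z = 0 is rejected."""
    xs, x3s = bits(x0), bits(pow(x0, 3, P))
    z1 = int(xs[:HALF] + x3s[HALF:], 2) % P
    z2 = int(xs[HALF:] + x3s[:HALF], 2) % P
    if z1 == 0 or z2 == 0:
        raise ValueError("degenerate z: not invertible, choose another point")
    return z1, z2


def encrypt(m1, m2, x0):
    """c_1 = z_1 (m_1 xor x_0), c_2 = z_2 (m_2 xor x_0^3), products in Z_p."""
    z1, z2 = derive_z(x0)
    e1, e2 = m1 ^ x0, m2 ^ pow(x0, 3, P)
    if e1 >= P or e2 >= P:      # XOR of two L-bit strings can fall outside Z_p
        raise ValueError("masked message is not a field element")
    return z1 * e1 % P, z2 * e2 % P


def decrypt(c1, c2, x0):
    """Undo the field multiplication with z^-1, then strip the XOR mask."""
    z1, z2 = derive_z(x0)
    e1 = c1 * pow(z1, P - 2, P) % P
    e2 = c2 * pow(z2, P - 2, P) % P
    return e1 ^ x0, e2 ^ pow(x0, 3, P)


def roundtrip_demo():
    """Encrypt the sample pair and check that decryption restores it."""
    c1, c2 = encrypt(M1, M2, X0)
    return decrypt(c1, c2, X0) == (M1, M2) and (c1, c2) != (M1, M2)


if __name__ == "__main__":
    print("z_1, z_2 =", derive_z(X0))
    print("round trip ok:", roundtrip_demo())
```

The two rejected cases are the ones an implementation of this scheme has to handle explicitly: a z that reduces to zero has no inverse, and a masked value m ⊕ x_0 that is not below p would be silently reduced by the multiplication and could not be recovered. In F_{2^m}, where every m-bit string is a field element, only the first case remains.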